A blog about Cyber Security & Compliance

Month

June 2014

At the Gartner Security & Risk Management Summit they highlighted the top 10 technologies for information security and their implications for security organisations in 2014.

Enterprises are dedicating increasing resources to security and risk. Nevertheless, attacks are increasing in frequency and sophistication. Advanced targeted attacks and security vulnerabilities in software only add to the headaches brought by the disruptiveness of the Nexus of Forces, which brings mobile, cloud, social and big data together to deliver new business opportunities,” said Neil MacDonald, vice president and Gartner Fellow. “With the opportunities of the Nexus come risks. Security and risk leaders need to fully engage with the latest technology trends if they are to define, achieve and maintain effective security and risk management programs that simultaneously enable business opportunities and manage risk

Gartner believes the top 10 technologies for information security are:

1. Cloud Access Security Brokers

Cloud access security brokers are on-premises or cloud-based security policy enforcement points placed between cloud services consumers and cloud services providers to interject enterprise security policies as the cloud-based resources are accessed. In many cases, initial adoption of cloud-based services has occurred outside the control of IT, and cloud access security brokers offer enterprises to gain visibility and control as its users access cloud resources.

2. Adaptive Access Control

Adaptive access control is a form of context-aware access control that acts to balance the level of trust against risk at the moment of access using some combination of trust elevation and other dynamic risk mitigation techniques. Context awareness means that access decisions reflect current condition, and dynamic risk mitigation means that access can be safely allowed where otherwise it would have been blocked. Use of an adaptive access management architecture enables an enterprise to allow access from any device, anywhere, and allows for social ID access to a range of corporate assets with mixed risk profiles.

3. Pervasive Sandboxing (Content Detonation) and IOC Confirmation

Some attacks will inevitably bypass traditional blocking and prevention security protection mechanisms, in which case it is key to detect the intrusion in as short a time as possible to minimize the hacker’s ability to inflict damage or exfiltrate sensitive information. Many security platforms now included embedded capabilities to run (“detonate”) executables and content in virtual machines (VMs) and observe the VMs for indications of compromise. This capability is rapidly becoming a feature of a more-capable platform, not a stand-alone product or market. Once a potential incident has been detected, it needs to be confirmed by correlating indicators of compromise across different entities, for example, comparing what a network-based threat detection system sees in a sandboxed environment to what is being observed on actual endpoints in terms of processes, behaviors, registry entries and so on.

4. Endpoint Detection and Response Solutions

The endpoint detection and response (EDR) market is an emerging market created to satisfy the need for continuous protection from advanced threats at endpoints (desktops, servers, tablets and laptops), most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of on going attacks (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide remediation capability.

Going forward, all effective security protection platforms will include domain-specific embedded analytics as a core capability. An enterprise’s continuous monitoring of all computing entities and layers will generate a greater volume, velocity and variety of data than traditional SIEM systems can effectively analyse. Gartner predicts that by 2020, 40% of enterprises will have established a “security data warehouse” for the storage of this monitoring data to support retrospective analysis. By storing and analysing the data over time, and by incorporating context and including outside threat and community intelligence, patterns of “normal” can be established and data analytics can be used to identify when meaningful deviations from normal have occurred.

The ability to integrate with external context and intelligence feeds is a critical differentiator for next-generation security platforms. Third-party sources for machine-readable threat intelligence are growing in number and include a number of reputation feed alternatives. Reputation services offer a form of dynamic, real-time “trustability” rating that can be factored into security decisions. For example, user and device reputation as well as URL and IP address reputation scoring can be used in end-user access decisions.

7. Containment and Isolation as a Foundational Security Strategy

In a world where signatures are increasingly ineffective in stopping attacks, an alternative strategy is to treat everything that is unknown as untrusted and isolate its handling and execution so that it cannot cause permanent damage to the system it is running on and cannot be used as a vector for attacks on other enterprise systems. Virtualization, I\isolation, abstraction and remote presentation techniques can be used to create this containment so that, ideally, the end result is similar to using a separate “air-gapped” system to handle untrusted content and applications. Virtualization and containment strategies will become a common element of a defense-in-depth protection strategy for enterprise systems, reaching 20% adoption by 2016 from nearly no widespread adoption in 2014.

8. Software-defined Security

“Software defined” is about the capabilities enabled as we decouple and abstract infrastructure elements that were previously tightly coupled in our data centers: servers, storage, networking, security and so on. Like networking, compute and storage, the impact on security will be transformational. Software-defined security doesn’t mean that some dedicated security hardware isn’t still needed, it is. However, like software-defined networking, the value and intelligence moves into software.

9. Interactive Application Security Testing

Interactive application security testing (IAST) combines static application security testing (SAST) and dynamic application security testing (DAST) techniques. This aims to provide increased accuracy of application security testing through the interaction of the SAST and DAST techniques. IAST brings the best of SAST and DAST into a single solution. This approach makes it possible to confirm or disprove the exploitability of the detected vulnerability and determine its point of origin in the application code.

10. Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

Enterprises, especially those in asset-intensive industries like manufacturing or utilities, have operational technology (OT) systems provided by equipment manufacturers that are moving from proprietary communications and networks to standards-based, IP-based technologies. More enterprise assets are being automated by OT systems based on commercial software products. The end result is that these embedded software assets need to be managed, secured and provisioned appropriately for enterprise-class use. OT is considered to be the industrial subset of the “Internet of Things,” which will include billions of interconnected sensors, devices and systems, many of which will communicate without human involvement and that will need to be protected and secured.

Like this:

According to IDG research in a CSG Invotas white paper “Security Automation: Time to Take a Fresh Look” most organisations struggle to resolve the effects of a breach.

There’s no doubt that improving intrusion response and resolution times reduces the window of exposure from a breach,” said Jen McKean, research director at IDG Research. “More companies seek security automation tools that will enable them to resolve breaches in mere seconds and help maintain business-as-usual during the remediation period

Researchers polled decision makers of information security, strategy, and solution implementations at companies with 500 or more employees. They explored the security challenges commercial organizations face when confronted with security breaches across their networks. Key findings include:

46% of respondents report an average detection time of hours or days

54% reporting average resolution times of days or months

On going management of electronic identities that control access to enterprise, cloud, and mobile resources take the most time to change or update during a security event

A majority of respondents seek ways to reduce response time in order to address risk mitigation, preserve their company’s reputation, and protect customer data

61% of respondents admit they are looking for ways to improve response times to security events

82% of respondents report no decrease in the number of network security events or breaches last year whilst more than a quarter of those surveyed report an increase

60% of IT Security Resources dedicated to protecting the network layer

10% of respondents reporting they’re able to resolve issues in seconds or minutes; 54% say it takes days, weeks or months

28% of respondents say the number of security events or breaches increased in 2013

24% report that the severity of incidents increased

39% of respondents say they can detect a security breach within seconds or minute

Business process automation solutions offer a new approach to the most difficult step in security operations: taking immediate and coordinated action to stop security attacks from proliferating. Building digital workflows that can be synchronized across an enterprise allows a rapid counter-response to cyber-attacks. Speed, accuracy, and efficiency are accomplished by applying carrier-grade technology, replicating repetitive actions with automated workflows, and reducing the need for multiple screens.

It is no longer a surprise to hear that a breach has compromised data related to customers, employees, or partners,” said Paul Nguyen, president of global security solutions at CSG Invotas. “CIOs recognize that they need faster, smarter ways to identify security breaches across their enterprises. More importantly, they need faster, smarter ways to respond with decisive and coordinated action to help protect threats against company reputation, customer confidence, and revenue growth

A quarter of respondents say they are comfortable with the idea of automating some security workflows and processes and that they deploy automation tools where they can. 57% of respondents say they are somewhat comfortable with automation for some low-level and a few high-level processes, but they still want security teams involved. On average, respondents report that 30% of their security workflows are automated today; but nearly two-thirds of respondents expect they will automate more security workflows in the coming year.

Like this:

The 2014 Debit Issuer Study, commissioned by PULSE, found sustained growth in both consumer and business debit in 2013. Financial institutions weathered the Target data breach and are looking for solutions to enhance security, with many issuers now planning to implement EMV debit, the study shows. Debit program performance continues to improve, as active cardholders increase their usage of debit.

Key findings include:

Consumers continue to shift to electronic payments, with transactions per active card increasing to 20.1 per month from 19.4 a year earlier.

84% of financial institutions reissued all exposed cards in response to Target, compared to only 29% that typically reissue all exposed cards as a standard response to breaches.

86% of financial institutions stated that they plan to begin issuing EMV cards in the next two years, a significant increase from 50% in 2012.

In the wake of several high-profile data breaches, the industry has come together to look for solutions to increase security and advance EMV implementation,” said Steve Sievert, executive vice president of marketing and communications for PULSE. “While PIN debit remains the most secure payment method in the market, this year’s study confirms the industry is reaching a tipping point toward EMV. The majority of financial institutions plan to issue EMV debit cards starting in 2015

Target breach was watershed event

The Target breach impacted every financial institution that participated in the study, causing fraud loss rates to increase in 2013 and compelling issuers to re-evaluate their strategies for improving card security in 2014, the study found.

Overall, 14% of all debit cards were exposed in data breaches in 2013, compared to 5% in 2012. The resulting 2013 fraud losses to financial institutions amounted to 5.7 basis points for signature debit and 0.7 basis points for PIN debit. Compared with the prior year, PIN debit fraud loss rates remained constant at 0.3 cents per transaction, on average, while signature debit loss rates increased to 2.2 cents per transaction, up from 2.0 cents.

Data breaches heightened attention to issues of debit card security. Prior to the Target incident, many financial institutions were hesitant to commit to EMV because of uncertainty around retailer adoption of chip card point-of-sale terminals, questions about the viability of the business case for migrating from magnetic stripe cards to chip cards, as well as unresolved issues related to regulation and support for merchant routing choice. In many ways, the Target breach served as a catalyst for the resolution of these issues.

The most common strategy among financial institutions is to provide account holders with an EMV debit card as part of their regular card reissuance cycle. Migration to EMV debit cards will begin in earnest in early 2015 and will span approximately three years, with many issuers attempting to provide chip cards to their international travellers and heavy debit users in advance of the liability shift in October 2015.

We were quite surprised by the across-the-board embrace of EMV by debit issuers,” said Tony Hayes, a partner at Oliver Wyman who co-led the study. “There has been a dramatic shift from issuers’ tepid interest last year to their active plans to implement EMV beginning in 2015

Debit continues to grow, as issuers focus on growth strategies

Outside of the challenges caused by data breaches, debit continued its growth trajectory in 2013. On the consumer side, the primary performance improvement was in transactions per active card per month, which rose to 20.1 in 2013 from 19.4 in 2012. Other metrics, such as penetration, active rate and ticket size, remained consistent year-over-year. There was an uptick in usage of business debit cards: transactions per active card per month grew to 14.5 from 13.5.

Continuing historical trends, signature debit declined in share of total transactions between 2012 and 2013, falling to 62% from 64% for consumer cards, and to 70% from 72% for business cards. As regulated issuers (those with more than $10 billion in global assets) receive equivalent interchange for signature and PIN transactions but incur lower costs on PIN transactions, large debit issuers now tend to prefer PIN transactions.

As issuers continue to promote the migration of cash payments to cards, PULSE expects overall ATM use to naturally decline. In 2013, ATM withdrawals reached a study-wide low of 2.3 per active card per month. Large banks expect ATM transactions to continue to decline, but community banks and credit unions project increased ATM transaction volume as they seek to drive traffic from the branch to the ATM.

Like this:

I thought I had published this months ago but found it still in my drafts.

2013 was a very busy year for the UK’s Information Commissioners Office (ICO) as he issued record numbers of fines and enforcements.

There are normally three types of punishments administered by the ICO:-

Monetary. The most serious of the actions and one normally reserved for organisational entities.

Undertaking. Typically applied when an organisation has failed to adhere to good business practise and needs the helping guidance of the ICO

Prosecutions. Normally reserved for individuals who have blatantly breached the Act and like 2012 there were not many in 2013.

The complete list of those who fell foul of the Data Protection Act in 2013 is below:-

Monetary penalty notices

A monetary penalty will only be served in the most serious situations. When deciding the size of a monetary penalty, the ICO takes into account the seriousness of the breach and other factors like the size, financial and other resources of an organisation’s data controller. The ICO can impose a penalty of up to £500,000. It is worth noting that monetary penalties are to HM Treasury. The size of the fines might change with the pending revision to the Data Protection Act.

The list has the most recent first.

16 December 2013. A monetary penalty notice has been served on First Financial (UK) Limited after the pay day Loans Company sent millions of spam text messages.

29 October 2013. A monetary penalty notice has been served on North East Lincolnshire Council after the loss of an unencrypted memory device containing personal data and sensitive personal data relating to 286 children.

22 October 2013. A monetary penalty notice has been served on the Ministry of Justice for failing to keep personal data securely, after spreadsheets showing prisoners’ details were emailed to members of the public in error.

26 September 2013. A monetary penalty notice has been served on Jala Transport, a small money-lending business, after the theft of an unencrypted portable hard drive containing its customer database.

29 August 2013. A monetary penalty notice has been served on Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.

23 August 2013. A monetary penalty notice has been served to Islington Borough Council after personal details of over 2,000 residents were released online via the What Do They Know (WDTK) website.

5 August 2013. A monetary penalty notice has been served to the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients. The information included payslips, bank statements, account details and mortgage applications, along with customers’ names, addresses and contact details.

12 July 2013. A monetary penalty notice has been served on NHS Surrey following the discovery of sensitive personal data belonging to thousands of patients on hard drives sold on an online auction site. Whilst NHS Surrey has now been dissolved outstanding issues are now being dealt with by the Department of Health.

8 July 2013. A monetary penalty notice has been served to Tameside Energy Services Ltd after the Manchester based company blighted the public with unwanted marketing calls.

18 June 2013. Monetary penalty notices have been served to Nationwide Energy Services and We Claim You Gain – both companies are part of Save Britain Money Ltd based in Swansea. The penalties were issued after the companies were found to be responsible for over 2,700 complaints to the Telephone Preference Service or reports to the ICO using its online survey, between 26 May 2011 and end of December 2012.

13 June 2013. A monetary penalty notice has been served to North Staffordshire Combined Healthcare NHS Trust, after several faxes containing sensitive personal data were sent to a member of the public in error.

7 June 2013. A monetary penalty notice has been served to Glasgow City Council, following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.

5 June 2013. A monetary penalty notice has been served to Halton Borough Council, in respect of an incident in which the home address of adoptive parents was wrongly disclosed to the birth family.

3 June 2013. A monetary penalty has been served to Stockport Primary Care Trust following the discovery of a large number of patient records at a site formerly owned by the Trust.

20 March 2013. A monetary penalty has been served to DM Design Bedroom Ltd. The company has been the subject of nearly 2,000 complaints to the ICO and the Telephone Preference Service. The company consistently failed to check whether individuals had opted out of receiving marketing calls and responded to just a handful of the complaints received.

15 February 2013. A monetary penalty has been served to the Nursing and Midwifery Council. The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.

24 January 2013. A monetary penalty has been served to the entertainment company Sony Computer Entertainment Europe Limited following a serious breach of the Data Protection Act. The penalty comes after the Sony PlayStation Network Platform was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth and account passwords. Customers’ payment card details were also at risk. Appeal withdrawn.

Undertakings

Undertakings are formal agreements between an organisation and the ICO to undertake certain actions to avoid future breaches of the Data Protection Act, typically this involves, Encryption, Training and Management Procedures.

The list has the most recent first.

20 December 2013. A follow up has been completed to provide an assurance that Luton Borough Council has appropriately addressed the actions agreed in its undertaking signed September 2013.

26 November 2013. An undertaking to comply with the seventh data protection principle has been signed by the Royal Borough of Windsor & Maidenhead, following an incident in which restricted information about employees was disclosed on its intranet in error.

22 November 2013. An undertaking to comply with the Privacy and Electronic Communications Regulations has been signed by Better Together. The organisation must neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail to individual subscribers unless the recipient of the electronic mail has previously notified Better Together that they consent. A follow up has been completed to provide an assurance that Foyle Women’s Aid has appropriately addressed the actions agreed in its undertaking signed August 2013.

21 November 2013. An undertaking to comply with the seventh data protection principle has been signed by Great Ormond Street Hospital for Children NHS Foundation Trust. This follows four incidents involving the accidental disclosure of sensitive personal data.

1 November 2013. A follow up has been completed to provide an assurance that The Health and Care Professions Council has appropriately addressed the actions agreed in its undertaking signed July 2013.

1 November 2013. A follow up has been completed to provide an assurance that Mansfield District Borough Council has appropriately addressed the actions agreed in its undertaking signed January 2013.

25 October 2013. A follow up has been completed to provide an assurance that The Burnett Practice has appropriately addressed the actions agreed in its undertaking signed in April 2013. An undertaking to comply with the seventh data protection principle has been signed by Panasonic UK. This follows the theft of an unencrypted laptop containing personal data relating to people who had attended a hospitality event run by a third party company on Panasonic’s behalf.

15 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by the Royal Veterinary College. This follows the loss of a memory card containing personal data. In addition, data protection training is not considered to be adequate and the RVC does not appear to be taking steps to address this proactively. This highlights a potentially serious failing in respect of staff awareness of Information Governance policies. Their investigation revealed that the device was personally owned by the employee and as such fell outside of the policies and procedures in place. However, the RVC does not appear to have accounted for the possibility of employees using their own devices in the workplace.

7 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by The Hillingdon Hospitals NHS Foundation Trust.

4 October 2013. An Undertaking to comply with the seventh data protection principle has been signed by the Cardiff & Vale University Health Board, following the loss of documents containing sensitive personal data by a consultant.

29 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Aberdeen City Council after inadequate home working arrangements led to 39 pages of personal data being uploaded onto the internet by a Council employee.

11 September 2013. An undertaking to comply with the seventh data protection principle has been signed by Luton Borough Council following several incidents involving inappropriate handling of sensitive personal data. Investigation of these incidents revealed that previous recommendations made by the ICO had not been implemented.

28 August 2013. An undertaking to comply with the sixth data protection principle has been signed by Cardiff City Council. The Council agreed to put measures in place to ensure greater compliance with subject access requests.

22 August 2013. An undertaking to comply with the seventh data protection principle has been signed by the Local Government Ombudsman. This follows the theft of a bag containing hard copy papers relating to complaints made to the Local Government Ombudsman (the LGO) including some SPD. It is felt that the provision of data protection training was insufficient to ensure staff awareness of policies and procedures relating to the use of personal data.

13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Northern Health & Social Care Trust. This follows a number of security incidents which led to a formal investigation into the Trust’s compliance with the Act. One incident in May 2011, involved confidential service user information being faxed from a ward in Antrim Hospital to a local business in error. The investigation into the Trust revealed that despite the Trust having introduced what should have been mandatory Information Governance training for all staff, the majority of staff involved in these incidents had not received this training. This highlighted a potentially serious failing in respect of staff awareness of Information Governance policies. In particular, the failure to monitor and enforce staff completion of training was a concern.

13 August 2013. An undertaking to comply with the seventh data protection principle has been signed by Foyle Women’s Aid. This follows the temporary loss of a folder belonging to a Criminal Justice Support worker employed by Foyle Women’s Aid that was left in a café. The folder contained confidential client information. An apparent lack of effective controls and procedures for taking information out of the office was a contributor to the loss of highly sensitive personal data.

16 July 2013. An undertaking to comply with the seventh data protection principle has been signed by Janet Thomas. This follows a report made by a member of the public that approximately 7,435 CV files, containing personal data, were being stored unprotected on the website http://www.janetpage.com.

9 July 2013. An undertaking to comply with the seventh data protection principle has been signed by the Health & Care Professions Council (HCPC) after an incident in which papers containing personal data were stolen on a train in 2011.

12 June 2013. (issued 10 September 2012) An undertaking to comply with the seventh data protection principle has been signed by Bedford Borough Council relating to the removal of legacy data from a social care database.

12 June 2013 (issued 18 September 2012). An undertaking to comply with the seventh data protection principle has been signed by Central Bedfordshire Council relating to the removal of legacy data from a social care database and in relation to the preparation of planning application documentation for publication.

31 May 2013. A follow up has been completed to provide an assurance that Leeds City Council has appropriately addressed the actions agreed in its undertaking signed November 2012.

Prospect. A follow up has been completed to provide an assurance that Prospect has appropriately addressed the actions agreed in its undertaking signed January 2013.

21 May 2013 (issued 9 November 2011). An undertaking to comply with the seventh data protection principle has been signed by News Group Newspapers, following an attack on the website of The Sun newspaper in 2011.

26 April 2013. An undertaking to comply with the seventh data protection principle has been signed by The Burnett Practice. This follows an investigation whereby an email account used by the practice had been subject to a third party attack. The email account subject to the attack was used to provide test results to patients and included a list of names and email addresses.

4 April 2013. An undertaking to comply with the seventh data protection principle has been signed by the East Riding of Yorkshire Council, following incidents last year in which personal data was inappropriately disclosed.

25 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the Managing Director of Mansfield District Council. This follows a number of incidents where personal data of housing benefit claimants was disclosed to the wrong landlord.

16 January 2013. An undertaking to comply with the seventh data protection principle has been signed by the union Prospect. This follows an incident in which two files containing personal details of approximately 19,000 members of the union had been sent to an unknown third party email address in error.

Prosecutions

The list has the most recent first.

3 December 2013. A former manager who oversaw the finances of a GP’s practice in Maidstone has been prosecuted by the ICO after unlawfully accessing the medical records of approximately 1,940 patients registered with the surgery. Steven Tennison was prosecuted under section 55 of the Data Protection Act at Maidstone Magistrates Court.

8 October 2013. A pay day loans company based in London and its director have been prosecuted after failing to register that the business was processing personal information. Hamed Shabani, the sole director of First Financial, was convicted under section 61 of the Data Protection Act at City of London Magistrates Court.

25 September 2013. A former Barclays Bank employee has been fined after illegally accessing the details of a customer’s account. In one case the employee, Jennifer Addo, found out the number of children the customer had and passed the details to the customer’s then partner, who was a friend of Ms Addo.

15 August 2013. A probation officer who revealed a domestic abuse victim’s new address to the alleged perpetrator has been fined £150 following a prosecution bought by the ICO.